Four years to fix security vulnerabilities in NX-OS code is way too long. It’s amazing that customers accept that Cisco will take years to patch bugs in the latest and most actively developed version for its data centre switches AFTER public disclosure. Reporting was done via internal channels from a trusted third party and I can’t see any excuses for such a poor security response.
The exploits, which I formally reported to Cisco, were never made public, until over four years later.
It’s clear that Cisco doesn’t care about the security of its products, with regular vulnerabilities across all of its products followed by very slow reaction and patching.
Summary of Cisco NX-OS security vulnerabilities I uncovered – Maximum Entropy : http://www.feeny.org/summary-cisco-nx-os-security-vulnerabilities-uncovered/